Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo’s Yield Manager and Fox Audience Network’s Fimserve.com, which together cover more than 50 percent of online ads, and to a much smaller degree Google’s DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.

“It’s not just the small players but the ad servers connected with Google and Yahoo have been infected and served up bad ads,” said Lyle Frink, public relations manager for Avast.

The most compromised ad delivery platforms were Yield Manager and Fimserve, but a number of smaller ad systems, including Myspace, were also found to be delivering malware on a lesser scale, Avast Virus Labs said.

Found in ads delivered from those networks was JavaScript code that Avast dubbed “JS:Prontexi,” which Avast researcher Jiri Sejtko said is a Trojan in script form that targets the Windows operating system. It looks for vulnerabilities in Adobe Reader and Acrobat, Java, QuickTime, and Flash and launches fake antivirus warnings, Sejtko said.

Users don’t need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, Avast said.

Since the malware started spreading in late December, Avast has registered more than 2.6 million instances of it on customer computers. Nearly 530,000 of those were from Yield Manager and more than 16,300 from DoubleClick, Sejtko said.

“The Google portion of JS:Prontexi is quite small and has gotten visibly even smaller as they have taken steps to improve the situation,” Sejtko said. “That is not the case with Yahoo and Fox.”

Representatives from Fox and MySpace declined to comment.

A Yahoo representative confirmed the report and said it was investigating the situation, but didn’t provide much information. “We have identified the creatives in question and are working to make sure they been deactivated in our system,” the company said in a statement.

“Yahoo is deeply committed to providing a high-quality experience for users, advertisers, and publishers. We expect our members to support and abide by our standards and guidelines around acceptable ad content and behavior,” the statement said. “On the rare occasion that an ad is served that is in conflict with our expectations and guidelines we take action to remove it as quickly as possible.”

A Google spokesman said the company had discovered malware in ads from DoubleClick on its own and halted them. “In this case, we stopped several of the ads in question on the same day, independent of this report,” he said.

“When our automated system is able to identify a problem, we immediately stop serving the affected ads, and then work to refine our security measures to help capture and disable similar ads for all DoubleClick publishers and advertisers,” the company said in a statement.

“DoubleClick’s ad serving products maintain a security monitoring system that screens ads and is constantly adapting to respond to new developments, yet publishers are in control of what ads they serve when using DoubleClick services,” the Google statement said. “We encourage publishers to maintain good quality processes, especially in terms of the networks and advertisers they deal with, and we provide tips and tricks at http://anti-malvertising.com/tips-for-publishers.”

However, the Google spokesman said it was highly unlikely that malware was served on Google, adding that DoubleClick ads do not run on Google search.